In celebration of Cyber Security Awareness Month, we asked those who have followed a career in cyber across the globe for their stories, advice, and how they see the sector’s future.
“I loved breaking things!”
As reasons go for starting a career in cyber, Hossam Eltahawy, a Senior Cyber Security Consultant & Leader, certainly had an interesting one. At the same time, it’s not difficult to understand why it helped. Faith in a security system can only be achieved through rigorous testing. If you haven’t tried to identify something’s weaknesses, how can you be sure that it is strong enough to withstand an attack?
While Eltahawy’s hobby is not one shared by the majority of the community, it’s clear that having passion is an all-important factor when pursuing a career in cyber.
Alexandra Mercz, Information Security Chief of Staff, says: “I have always been passionate about technology, and specifically how it can be used to improve people’s lives. With the increasing importance of cloud computing, I believe that the security of company and personal data in the cloud is becoming more and more important. This led me down the path of cyber security.”
Amrah Mazhar took up a role after eight years away from the world of work, during which time she focused on family. As she notes, “I had to find my passion. Where your passion is, is where you achieve excellence”. Although it was rare for somebody with her overall experience, she decided to take an internship as her first step into cyber.
Some were fascinated by hacking from a young age. Taoufik Fares, a Cyber Team Manager working in France, remembers owning his first HP computer with a Pentium II processor back in 2000. With it, he found he could annoy his friends by controlling their PCs, changing their desktop wallpapers, or messing around with their disc drives. He has since worked in over 15 countries as a consultant on cyber security.
For others, it was just an interest in computers that sparked their move toward security. Sebastian Wieseler, originally from Germany, now works in Singapore as a Senior IT Security & Compliance Specialist. Although he was fascinated by computers and technology from a young age, his specialization and passion for security came at university.
Not everybody who works in the sector began their studies at school or university, though, and this has only served to benefit them in their career in cyber. For Mercz, an alternative education has been extremely useful: “My background in international business administration, combined with my knowledge of cloud computing and cyber security, enables me to understand the perspective of our business leaders, and ensure that the cyber security solutions meet business requirements.”
It’s a similar story for Kirt Cathey, who lived in Guam and America before moving to Japan, where he now works. Cathey had been an early adopter of the household computer in the 1980s and saw the growth of technology in San Francisco, where he majored in Japanese Studies. Having held a range of jobs in Guam, including setting up a guitar shop, it was his bilingual skills that stood him in good stead in cyber. As he points out, “In cyber [the ability to speak multiple languages] was a scarce commodity”.
Dominic Grunden is a CISO based in Myanmar and has worked across Europe and Asia. He fell in love with IT when volunteering to help install cables in a local school system – a useful skill, it transpired. “You had to be a jack-of-all-trades back then! You had to know how to do cabling, workstations and servers.”
Seiji Kiyokawa, Director of Information Security and BCP, reminisces when discussing his early career in the UK as a firewall engineer, “At the time, it was the simple era - if you had a firewall and an antivirus solution, you were good!”. He had studied Computer Science in London before going into further studies with information security.
Burt Kulach took a less traditional route into the industry, albeit one that still began in the world of IT. His journey started at his first job when he was 17, where the CEO, a former developer, was so sure of his security that he challenged Kulach to circumvent the controls. It took Kulach just three weeks. This was not his first taste of hacking, though; he’d previously entered his school server to access the questions for upcoming exam papers!
While Kulach, whose career in cyber since has taken him to Japan and then the Netherlands, found his early influence in his CEO, others’ role models vary. Grunden points to Bill Gates and Steve Jobs, both of whom were seen as icons when he started out. In contrast, Fares says that many enthusiasts from his generation viewed famous hacker Kevin Mitnick as the figurehead of the movement.
For Kiyokawa, his major inspirations not only shaped his career path and attitudes, but also his approach to leadership. He cites Jim Desmond, Brad Wirths and Mohamed Hafeel at Asurion as his influences.
Six of our interviewees. Top row (L-R): Taoufik Fares, Dominic Grunden, Seiji Kiyokawa. Bottom row (L-R): Bart Kulach, Alexandra Mercz, Sebastian Wieseler.
The cyber industry has not grown at an equal rate across the globe, which is often down to a difference in perspective and attitude. Eltahawy points out that in the UK, the legislation and regulations (in particular GDPR) made it easier to get buy-in and support from senior management, which helped move the status of cyber threats from just “IT risks” to “business risks”. However, he notes, “Up until now, we don’t have a similar legislation here in Australia. The emphasis on security is still not at the same level”. He is starting to see a shift, though: “Certainly, cyber security is improving within Australia. I think it is a matter of time. Within three years we’ll be in a way better position than we are right now”.
Another key factor is the skills shortage. Mazhar believes that the labor shortage in Australia is having an impact, but what is the reason? Grunden has his theory: “In the United States, historically, the FBI would never hire anybody who wasn’t wearing a suit and tie. Now they have cyber security teams coming in wearing jeans, t-shirts, maybe shorts… you either want the best of the best to help develop your country, or you don’t.” As he states, Australia needs to get with the times. For example, he recognizes that companies and government bodies in the US and Europe will have no problem with hiring foreign citizens for roles in cyber, while in Australia they are more reluctant to invite non-citizens into security spaces. “If Australia were to open up, they would see cyber maturity”.
Cathey compares the US with his new home of Japan: “From what I’ve seen the US, especially over the last ten years, is a lot of people throwing money at solutions”. In contrast, “Like Japan always is, they are laid back. Cool, calm, collected and they looked at it. Then about six years ago they jumped into it…There’s a three-to-five-year lag on cyber security coming to Japan”.
Kiyokawa explains: “The Japanese tend to think that, fundamentally, people are good. In the US, it’s the opposite. Not that they think that everybody’s evil, but that bad things will happen. There’s a difference in mindset”. He observes that, in general, cyber workers in Japan spend a lot more time planning, but the solution is often perfect. He also thinks that Japan could explore growing and developing CISOs, as until now these roles have rarely been created in-house: “I think it comes from larger organizations’ preference to grow people as generalists and then relying on partners for specialized areas.”
Kulach reckons that the pandemic will play its part in Japan’s cyber development, “COVID was a great opportunity for Japan to mature in IT and technology. What I encountered while being in Japan was a dramatic disconnect between how Japan is seen from the outside as a technology country and what you actually get when you speak to people involved in IT or security.
“In the Netherlands and in the surrounding countries there are many universities that are actually teaching cyber - many people graduate in cyber security! That’s the main difference that I’ve found with Japan”.
When it comes to roles in the future, Cathey’s stance is firm: “I truly believe that we have to look more toward techno-leadership”, with the reason being that the person managing the defense needs to have at least as much technical knowledge as their opponent.
Kiyokawa’s own forecast is not too different. He predicts that, “Within three years there’ll be more talent coming out of in-house specialists that have a holistic view of security and broad experiences and understanding of all domains within security. They would start to have more senior leadership roles”.
Given the ever-changing dangers posed to security systems, what will these tech leaders face? Kulach warns that “the threat landscape will change”, something Mercz echoes: “I think we will continue to see the evolving threat landscape that we have observed since the start of the COVID-19 pandemic. Remote working brought new challenges: just think of all the (sometimes senior) managers working at home, many on insufficiently secured personal wireless networks, or even working from a coffee shop.”
As Wieseler puts it, “Demand is rising and things are getting more complex, too. And complexity, in general, means less secure. In three years we will have an even bigger demand throughout the supply chain”.
While technical skills would prove useful when starting a career in cyber, they are not the be all and end all, says Eltahawy, as they will only get you so far. In his words: “I would recommend for most professionals to link their technical skills with their soft and communication skills. That will help with their ability to speak the business language… that way, they’ll be able to get the support needed to improve the security push of their organization”.
Mercz points out that “most work is done in teams, and by collaborating with other people. Understanding them, understanding their motivations and forming strong connections will help you advance your career”.
Knowledge of the environment in which you work is vital, says Grunden. He says that those with too narrow a focus run the risk of becoming blind to what’s around them, leaving them unaware of not just what they are impacting upon, but what is affecting themselves. Kiyokawa has a similar outlook, and stresses that you can’t do security work without an understanding of the technology and the business. He concludes: “I think generalists have a lot to contribute… their security experience might be limited but that have a solid understanding of all aspects of the business. That’s something a security specialist would typically lack. They can do a Pen test all day but they don’t know what they’re Pen testing. It’s about striking the right balance”. Similarly, Mazhar believes that being a generalist is important for moving up the ladder.
Mercz also adds: “Targeted studies will already set you on a certain path, but I would still urge all young talent to first fully understand their options, and then plan their career towards a certain role”.
For Eltahawy, it comes back to that word “passion”. His tip is that “if you find your passion and love what you do, you’ll be able overcome the challenges that come with the job and career that you’ve chosen, and you’ll be able to stand out and succeed”. However, he warns that alone won’t be enough: "You're going to have to keep going, you're going to have to learn".
As Fares says, “Cybersecurity is first a passionate world. So be passionate. Always look for topics that interest you in cyber and follow them”.
“Having the passion to spend your own time on understanding the latest technologies and industries and keep up with that is going to be a big factor”, confirms Kiyokawa. Mazhar agrees, recommending that “you need to have a learner’s mindset if you want to have a career in cyber security… you shouldn’t stop upskilling”. As she adds, “Cyber security is LIFE – Learning is forever!”
Ultimately, this requirement to constantly educate oneself is key to career in cyber. For Kulach, this is where a passion became a vocation. “If you think security is just something you just can do on the side, then it’s probably not the job for you because of the rapidly-changing environment and the need to keep up with the skills and the technology”, he advises. In Fares’ words: “What you master now will be nothing tomorrow, so you have to learn all the time”.
Wieseler sums it up in a way that we can all relate to: “There’s actually a lot of things driving you day-by-day to learn more, read up more, to be actually able to get ahead of the bad guys!”